Cybersecurity bill seeks to give president new powers over private-sector networks

Provision enabling White House to shut down critical infrastructure networks for security reasons may be a hard sell for bill's proponents

A wide-ranging cybersecurity bill introduced in the U.S. Senate this week would give the president unprecedented new powers to disconnect government and private-sector networks from the Internet in the event of security emergencies. But that provision is expected to be a hard sell in Congress.

The proposed bill, formally known as the Cybersecurity Act of 2009, was filed on Wednesday by Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine). The legislation includes a long list of provisions that would give federal officials significant new authority to set and enforce data security standards for federal agencies, government contractors and key parts of the private sector.

For instance, the bill would empower the National Institute of Standards and Technology (NIST) to develop "measurable and auditable" security standards for government entities as well as companies in critical infrastructure industries. Meanwhile, Rockefeller and Snowe also introduced a companion bill that calls for the addition of a national cybersecurity adviser within the Executive Office of the President.

But the provision that is attracting the most attention is buried deep in the 51-page bill, in a section blandly titled "Cybersecurity Responsibility and Authority." It would give the president broad authority to directly intervene in security matters in both the public and private sectors. For starters, the bill would give the president the power to declare security emergencies and then curtail or shut down Internet traffic to and from any compromised federal or critical infrastructure networks.

The measure would also enable the White House to order individual government or critical private-sector networks to be disconnected from the Internet for reasons of national security. In addition, the president could classify any corporate network as a piece of critical infrastructure.

The presidential-powers provision makes the proposed legislation "a sweeping federal takeover of cybersecurity" responsibilities, said Leslie Harris, president and CEO of the Center for Democracy & Technology, a Washington-based think tank and lobbying group. If the bill is signed into law as written, it would give the executive office "unfettered discretion" to exert control over private-sector networks on national security grounds, Harris claimed.

That could result in a "breathtaking power grab" by the White House, added Harris, who said the provision appears to assume that the government is better than the private sector is at identifying security threats and responding to them during emergencies.

Gartner Inc. analyst John Pescatore agreed that as currently written, the cybersecurity bill is a "major overreach." Some aspects of the bill would be welcome if they were focused specifically on improving federal cybersecurity initiatives, he said. NIST, for instance, should be playing a more active role in developing government security standards, and the intelligence community shouldn't be in charge of the federal security agenda, according to Pescatore.

"However, trying to have the government enforce cybersecurity standards on private industry would be a major step in the wrong direction," he said. "It would slow down the reaction time to new threats, not speed it up."

The Rockefeller-Snowe bill is loosely modeled on a set of cybersecurity recommendations issued last December by a commission that was set up by the Washington-based Center for Strategic and International Studies (CSIS) in late 2007, in an attempt to provide some external guidance to the next president.

James Lewis, director of the technology and public policy program at the CSIS, said that he thinks the proposed legislation does a good job overall of addressing several key security-related issues. "I love the bill," Lewis said. "It is really bold." But the provision granting the president new authority over private-sector networks will "trigger some debate," he conceded. "That is clearly going to be a problem for some people."

Lewis said he sees it as a "no-brainer" for the president to be able to exert whatever control is needed over federal networks in the interests of national security. He noted that the Defense Information Systems Agency already has the authority to pull the plug on any military network that poses national security risks. There's no reason why a similar authority shouldn't be extended to the executive office for all federal networks, he said.

"The larger issue is whether [the president] should have similar authority for critical infrastructure," Lewis added. "You have to think carefully about extending [such powers] to nongovernmental sectors." Any control over private-sector networks that was granted to the White House under the bill would need to be properly scoped, he said.

Copyright © 2009 IDG Communications, Inc.

  